i'm integrating apache + kerberos5 + openldap, with the goal of using
kerberos credentials to authenticate web app access.

krb5 & openldap are both up-n-running standalone, as is apache.

for apache auth, i've read through the OpenLdap & Krb5 SysAdm guides and,
iiuc, i can either

(a) use mod_auth_ldap for auth, with ldap pointed at a krb5 keytab
containing authorized principals' credentials,

or,

(b) use mod_auth_krb5 for auth, with ldap setup as krb5's backend db, e.g.,
dbmodule:db_library = kldap

if, in fact, both are options, which usage is recommended?